up

2025-12-13 09:37:15 +02:00
parent e00f6365da
commit 6e45066e37
349 changed files with 17160 additions and 1867 deletions
--- a/samples/reachability/README.md
+++ b/samples/reachability/README.md
@@ -0,0 +1,38 @@
+# Reachability Evidence Samples
+
+This directory contains sample payloads for reachability evidence chain documentation.
+
+## Contents
+
+| File | Description |
+|------|-------------|
+| `richgraph-v1-sample.json` | Sample richgraph-v1 callgraph with `code_id`, `symbol_id`, and `graph_hash` |
+| `openvex-affected-sample.json` | OpenVEX statement with `stellaops:reachability` extension for affected status |
+| `openvex-not-affected-sample.json` | OpenVEX statement with unreachability evidence for not_affected status |
+| `replay-manifest-v2-sample.json` | Replay manifest v2 with BLAKE3 hashes and `code_id_coverage` |
+| `runtime-facts-sample.ndjson` | Runtime observation events in NDJSON format |
+
+## Usage
+
+These samples demonstrate the function-level evidence chain described in:
+- `docs/reachability/function-level-evidence.md`
+- `docs/api/signals/reachability-contract.md`
+- `docs/contracts/richgraph-v1.md`
+
+## Verification
+
+Validate a richgraph-v1 sample:
+
+```bash
+# Compute graph hash
+stella graph verify --graph ./richgraph-v1-sample.json
+
+# Verify against manifest
+stella replay verify --manifest ./replay-manifest-v2-sample.json --verbose
+```
+
+## Schema References
+
+- richgraph-v1: `docs/contracts/richgraph-v1.md`
+- OpenVEX: https://openvex.dev/spec/v0.2.0
+- Replay manifest: `docs/reachability/function-level-evidence.md#6-replay-manifest-v2`
--- a/samples/reachability/openvex-affected-sample.json
+++ b/samples/reachability/openvex-affected-sample.json
@@ -0,0 +1,86 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://stellaops.example/vex/2025-12-13/CVE-2021-44228-affected",
+  "author": "StellaOps Policy Engine",
+  "role": "automated-scanner",
+  "timestamp": "2025-12-13T10:00:00Z",
+  "version": 1,
+  "tooling": "StellaOps/1.0.0",
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "CVE-2021-44228",
+        "name": "CVE-2021-44228",
+        "description": "Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints."
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/myapp@sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
+          "identifiers": {
+            "purl": "pkg:oci/myapp@sha256:abc123def456789012345678901234567890123456789012345678901234abcd"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+              "identifiers": {
+                "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "affected",
+      "justification": "vulnerable_code_in_container",
+      "impact_statement": "Vulnerable Log4j error() method is reachable from main entry point via processRequest(). Runtime probes confirm 47 invocations observed.",
+      "action_statement": "Upgrade to log4j 2.17.1 or later. As a workaround, set log4j2.formatMsgNoLookups=true.",
+      "stellaops:reachability": {
+        "state": "CR",
+        "state_description": "ConfirmedReachable",
+        "confidence": 0.92,
+        "graph_hash": "blake3:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
+        "graph_cas_uri": "cas://reachability/graphs/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
+        "dsse_uri": "cas://reachability/graphs/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2.dsse",
+        "path": [
+          {
+            "symbol_id": "sym:java:bWFpbi0xMjM0NTY3ODkwYWJjZGVm",
+            "code_id": "code:java:Y29kZS1tYWluLTEyMzQ1Njc4OTBhYmM",
+            "display": "com.example.app.Main.main(String[])",
+            "purl": "pkg:maven/com.example/app@1.0.0"
+          },
+          {
+            "symbol_id": "sym:java:cHJvY2Vzc1JlcXVlc3QtYWJjZGVm",
+            "code_id": "code:java:Y29kZS1wcm9jZXNzLWFiY2RlZjEy",
+            "display": "com.example.app.RequestHandler.processRequest(HttpRequest)",
+            "purl": "pkg:maven/com.example/app@1.0.0"
+          },
+          {
+            "symbol_id": "sym:java:bG9nRXJyb3ItMTIzNDU2Nzg5MGFiY2Q",
+            "code_id": "code:java:Y29kZS1sb2ctMTIzNDU2Nzg5MGFiY2Q",
+            "display": "org.apache.logging.log4j.Logger.error(String, Object...)",
+            "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"
+          }
+        ],
+        "path_length": 3,
+        "evidence": {
+          "static": {
+            "graph_hash": "blake3:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
+            "path_length": 3,
+            "confidence": 0.92
+          },
+          "runtime": {
+            "probe_id": "probe:jfr:scan-123-001",
+            "hit_count": 47,
+            "observed_at": "2025-12-13T09:45:00Z",
+            "observation_window": "24h"
+          }
+        },
+        "fact_digest": "sha256:e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6",
+        "fact_version": 3,
+        "analyzer": {
+          "name": "scanner.java",
+          "version": "1.2.0"
+        }
+      }
+    }
+  ]
+}
--- a/samples/reachability/openvex-not-affected-sample.json
+++ b/samples/reachability/openvex-not-affected-sample.json
@@ -0,0 +1,68 @@
+{
+  "@context": "https://openvex.dev/ns/v0.2.0",
+  "@id": "https://stellaops.example/vex/2025-12-13/CVE-2023-XXXXX-not-affected",
+  "author": "StellaOps Policy Engine",
+  "role": "automated-scanner",
+  "timestamp": "2025-12-13T10:00:00Z",
+  "version": 1,
+  "tooling": "StellaOps/1.0.0",
+  "statements": [
+    {
+      "vulnerability": {
+        "@id": "CVE-2023-XXXXX",
+        "name": "CVE-2023-XXXXX",
+        "description": "Example vulnerability in deprecated API."
+      },
+      "products": [
+        {
+          "@id": "pkg:oci/myapp@sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
+          "identifiers": {
+            "purl": "pkg:oci/myapp@sha256:abc123def456789012345678901234567890123456789012345678901234abcd"
+          },
+          "subcomponents": [
+            {
+              "@id": "pkg:maven/com.example/deprecated-lib@1.0.0",
+              "identifiers": {
+                "purl": "pkg:maven/com.example/deprecated-lib@1.0.0"
+              }
+            }
+          ]
+        }
+      ],
+      "status": "not_affected",
+      "justification": "vulnerable_code_not_in_execute_path",
+      "impact_statement": "The deprecated API containing the vulnerable code path is not reachable from any entry point. Static analysis found no paths, and runtime probes observed zero invocations over 72 hours.",
+      "stellaops:reachability": {
+        "state": "CU",
+        "state_description": "ConfirmedUnreachable",
+        "confidence": 0.88,
+        "graph_hash": "blake3:d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5",
+        "graph_cas_uri": "cas://reachability/graphs/d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5",
+        "dsse_uri": "cas://reachability/graphs/d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5.dsse",
+        "path": [],
+        "path_length": 0,
+        "evidence": {
+          "static": {
+            "graph_hash": "blake3:d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5",
+            "path_length": 0,
+            "confidence": 0.85,
+            "analysis_note": "No path found from any root to vulnerable symbol"
+          },
+          "runtime": {
+            "probe_id": "probe:jfr:scan-456-001",
+            "hit_count": 0,
+            "observed_at": "2025-12-13T09:45:00Z",
+            "observation_window": "72h",
+            "analysis_note": "Zero invocations observed during 72-hour monitoring window"
+          }
+        },
+        "fact_digest": "sha256:f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7",
+        "fact_version": 2,
+        "analyzer": {
+          "name": "scanner.java",
+          "version": "1.2.0"
+        }
+      }
+    }
+  ]
+}
--- a/samples/reachability/replay-manifest-v2-sample.json
+++ b/samples/reachability/replay-manifest-v2-sample.json
@@ -0,0 +1,62 @@
+{
+  "schema": "stellaops.replay.manifest@v2",
+  "subject": "scan:myapp-123",
+  "generatedAt": "2025-12-13T10:00:00Z",
+  "hashAlg": "blake3",
+  "artifacts": [
+    {
+      "kind": "richgraph",
+      "uri": "cas://reachability/graphs/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
+      "hash": "blake3:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
+      "dsseUri": "cas://reachability/graphs/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2.dsse",
+      "size": 24576,
+      "mediaType": "application/json"
+    },
+    {
+      "kind": "runtime-facts",
+      "uri": "cas://reachability/runtime/sha256:xyz789abc123def456789012345678901234567890123456789012345678901234",
+      "hash": "sha256:xyz789abc123def456789012345678901234567890123456789012345678901234",
+      "size": 8192,
+      "mediaType": "application/x-ndjson"
+    },
+    {
+      "kind": "sbom",
+      "uri": "cas://scanner-artifacts/scan-myapp-123/sbom.cdx.json",
+      "hash": "sha256:def456abc789012345678901234567890123456789012345678901234567890123",
+      "size": 102400,
+      "mediaType": "application/vnd.cyclonedx+json"
+    },
+    {
+      "kind": "reachability-fact",
+      "uri": "cas://signals/facts/scan:myapp-123:pkg:maven/log4j:2.14.1:CVE-2021-44228",
+      "hash": "sha256:e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6",
+      "size": 4096,
+      "mediaType": "application/json"
+    }
+  ],
+  "analyzer": {
+    "name": "scanner.java",
+    "version": "1.2.0",
+    "toolchain_digest": "sha256:7b9e8c6d5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0f9e8d"
+  },
+  "code_id_coverage": {
+    "total_symbols": 1247,
+    "with_code_id": 1189,
+    "with_symbol_id": 1247,
+    "stripped_symbols": 58,
+    "coverage_pct": 95.3
+  },
+  "provenance": {
+    "scanner_version": "1.2.0",
+    "image_digest": "sha256:abc123def456789012345678901234567890123456789012345678901234abcd",
+    "scan_started_at": "2025-12-13T09:30:00Z",
+    "scan_completed_at": "2025-12-13T09:45:00Z",
+    "runtime_observation_window": "24h",
+    "runtime_probes_active": true
+  },
+  "determinism": {
+    "manifest_hash": "blake3:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210",
+    "reproducible": true,
+    "verified_at": "2025-12-13T10:00:00Z"
+  }
+}
--- a/samples/reachability/richgraph-v1-sample.json
+++ b/samples/reachability/richgraph-v1-sample.json
@@ -0,0 +1,117 @@
+{
+  "schema": "richgraph-v1",
+  "analyzer": {
+    "name": "scanner.java",
+    "version": "1.2.0",
+    "toolchain_digest": "sha256:7b9e8c6d5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d"
+  },
+  "nodes": [
+    {
+      "id": "sym:java:bWFpbi0xMjM0NTY3ODkwYWJjZGVm",
+      "symbol_id": "sym:java:bWFpbi0xMjM0NTY3ODkwYWJjZGVm",
+      "code_id": "code:java:Y29kZS1tYWluLTEyMzQ1Njc4OTBhYmM",
+      "lang": "java",
+      "kind": "method",
+      "display": "com.example.app.Main.main(String[])",
+      "purl": "pkg:maven/com.example/app@1.0.0",
+      "build_id": null,
+      "symbol_digest": "sha256:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
+      "symbol": {
+        "mangled": null,
+        "demangled": "com.example.app.Main.main(String[])",
+        "source": "DWARF",
+        "confidence": 1.0
+      },
+      "evidence": ["bytecode"],
+      "attributes": {}
+    },
+    {
+      "id": "sym:java:cHJvY2Vzc1JlcXVlc3QtYWJjZGVm",
+      "symbol_id": "sym:java:cHJvY2Vzc1JlcXVlc3QtYWJjZGVm",
+      "code_id": "code:java:Y29kZS1wcm9jZXNzLWFiY2RlZjEy",
+      "lang": "java",
+      "kind": "method",
+      "display": "com.example.app.RequestHandler.processRequest(HttpRequest)",
+      "purl": "pkg:maven/com.example/app@1.0.0",
+      "build_id": null,
+      "symbol_digest": "sha256:b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3",
+      "symbol": {
+        "mangled": null,
+        "demangled": "com.example.app.RequestHandler.processRequest(HttpRequest)",
+        "source": "DWARF",
+        "confidence": 0.98
+      },
+      "evidence": ["bytecode", "import"],
+      "attributes": {}
+    },
+    {
+      "id": "sym:java:bG9nRXJyb3ItMTIzNDU2Nzg5MGFiY2Q",
+      "symbol_id": "sym:java:bG9nRXJyb3ItMTIzNDU2Nzg5MGFiY2Q",
+      "code_id": "code:java:Y29kZS1sb2ctMTIzNDU2Nzg5MGFiY2Q",
+      "lang": "java",
+      "kind": "method",
+      "display": "org.apache.logging.log4j.Logger.error(String, Object...)",
+      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+      "build_id": null,
+      "symbol_digest": "sha256:c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4",
+      "symbol": {
+        "mangled": null,
+        "demangled": "org.apache.logging.log4j.Logger.error(String, Object...)",
+        "source": "DWARF",
+        "confidence": 0.95
+      },
+      "evidence": ["bytecode", "import"],
+      "attributes": {
+        "vulnerable": "CVE-2021-44228"
+      }
+    },
+    {
+      "id": "sym:java:dW51c2VkTWV0aG9kLWFiY2RlZjEyMzQ",
+      "symbol_id": "sym:java:dW51c2VkTWV0aG9kLWFiY2RlZjEyMzQ",
+      "code_id": "code:java:Y29kZS11bnVzZWQtYWJjZGVmMTIzNA",
+      "lang": "java",
+      "kind": "method",
+      "display": "com.example.app.Unused.unusedMethod()",
+      "purl": "pkg:maven/com.example/app@1.0.0",
+      "build_id": null,
+      "symbol_digest": "sha256:d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5",
+      "symbol": {
+        "mangled": null,
+        "demangled": "com.example.app.Unused.unusedMethod()",
+        "source": "DWARF",
+        "confidence": 0.92
+      },
+      "evidence": ["bytecode"],
+      "attributes": {}
+    }
+  ],
+  "edges": [
+    {
+      "from": "sym:java:bWFpbi0xMjM0NTY3ODkwYWJjZGVm",
+      "to": "sym:java:cHJvY2Vzc1JlcXVlc3QtYWJjZGVm",
+      "kind": "call",
+      "purl": "pkg:maven/com.example/app@1.0.0",
+      "symbol_digest": "sha256:b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3",
+      "confidence": 1.0,
+      "evidence": ["bytecode"],
+      "candidates": []
+    },
+    {
+      "from": "sym:java:cHJvY2Vzc1JlcXVlc3QtYWJjZGVm",
+      "to": "sym:java:bG9nRXJyb3ItMTIzNDU2Nzg5MGFiY2Q",
+      "kind": "virtual",
+      "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1",
+      "symbol_digest": "sha256:c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4",
+      "confidence": 0.92,
+      "evidence": ["bytecode", "import"],
+      "candidates": []
+    }
+  ],
+  "roots": [
+    {
+      "id": "sym:java:bWFpbi0xMjM0NTY3ODkwYWJjZGVm",
+      "phase": "runtime",
+      "source": "main"
+    }
+  ]
+}
--- a/samples/reachability/runtime-facts-sample.ndjson
+++ b/samples/reachability/runtime-facts-sample.ndjson
@@ -0,0 +1,3 @@
+{"symbolId":"sym:java:bWFpbi0xMjM0NTY3ODkwYWJjZGVm","codeId":"code:java:Y29kZS1tYWluLTEyMzQ1Njc4OTBhYmM","hitCount":1,"loaderBase":"0x7f1234560000","processId":12345,"processName":"java","containerId":"abc123def456","observedAt":"2025-12-13T09:30:00Z"}
+{"symbolId":"sym:java:cHJvY2Vzc1JlcXVlc3QtYWJjZGVm","codeId":"code:java:Y29kZS1wcm9jZXNzLWFiY2RlZjEy","hitCount":47,"loaderBase":"0x7f1234560000","processId":12345,"processName":"java","containerId":"abc123def456","observedAt":"2025-12-13T09:45:00Z"}
+{"symbolId":"sym:java:bG9nRXJyb3ItMTIzNDU2Nzg5MGFiY2Q","codeId":"code:java:Y29kZS1sb2ctMTIzNDU2Nzg5MGFiY2Q","hitCount":47,"loaderBase":"0x7f1234789000","processId":12345,"processName":"java","containerId":"abc123def456","observedAt":"2025-12-13T09:45:00Z"}
--- a/samples/runtime/java-fat-archive/libs/app-fat.jar
+++ b/samples/runtime/java-fat-archive/libs/app-fat.jar
--- a/samples/runtime/node-detection-gaps/package.json
+++ b/samples/runtime/node-detection-gaps/package.json
@@ -0,0 +1,11 @@
+{
+  "name": "node-detection-gaps",
+  "version": "0.0.0",
+  "private": true,
+  "workspaces": [
+    "packages/*"
+  ],
+  "dependencies": {
+    "multi": "^1.0.0"
+  }
+}
--- a/samples/runtime/node-detection-gaps/packages/app/package.json
+++ b/samples/runtime/node-detection-gaps/packages/app/package.json
@@ -0,0 +1,7 @@
+{
+  "name": "bench-app",
+  "version": "1.0.0",
+  "dependencies": {
+    "lib": "workspace:*"
+  }
+}
--- a/samples/runtime/node-detection-gaps/packages/app/src/index.ts
+++ b/samples/runtime/node-detection-gaps/packages/app/src/index.ts
@@ -0,0 +1,5 @@
+import { libValue } from "lib";
+import { helper } from "./util";
+
+export const value: number = libValue + helper();
+export * from "./util";
--- a/samples/runtime/node-detection-gaps/packages/app/src/util.ts
+++ b/samples/runtime/node-detection-gaps/packages/app/src/util.ts
@@ -0,0 +1,7 @@
+export function helper(): number {
+  return 1;
+}
+
+export async function dynamic(): Promise<unknown> {
+  return import("multi");
+}
--- a/samples/runtime/node-detection-gaps/packages/lib/package.json
+++ b/samples/runtime/node-detection-gaps/packages/lib/package.json
@@ -0,0 +1,4 @@
+{
+  "name": "lib",
+  "version": "2.0.0"
+}
--- a/samples/runtime/node-detection-gaps/packages/lib/src/index.ts
+++ b/samples/runtime/node-detection-gaps/packages/lib/src/index.ts
@@ -0,0 +1 @@
+export const libValue = 41;
--- a/samples/runtime/node-detection-gaps/yarn.lock
+++ b/samples/runtime/node-detection-gaps/yarn.lock
@@ -0,0 +1,13 @@
+__metadata:
+  version: 8
+  cacheKey: 10
+
+"multi@npm:^1.0.0":
+  version: "1.0.0"
+  resolution: "multi@npm:1.0.0"
+  checksum: "abcd1234"
+
+"multi@npm:^2.0.0":
+  version: "2.0.0"
+  resolution: "multi@npm:2.0.0"
+  integrity: "sha512-xyz987"